[Freeipa-users] another certmonger question
Natxo Asenjo
natxo.asenjo at gmail.com
Tue Oct 4 06:21:04 UTC 2016
hi,
On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really
> operates on the "first" value returned (I didn't look at more recent
> versions). In this case it is the 267976717 cert. The other certs shown
> without details are for the other serial numbers that cert-find is reporting.
> I can't see a way that this first usercertificate value isn't revoked and
> removed upon renewal so I can't quite figure out how you got into this
> state (and so easily as I understand it). I wasn't able to reproduce it
> myself. Do you have any idea how wide-spread this is in your infrastructure?
>
> I can see that once in this state that any "extra" certs would just be
> stuck there, never to be revoked.
>
This is happening all over the place.
I guess I will have to script this: retrieve the usercertificate attribute
of the host computers, get their 'not before/not after' and serial number
values, and revoke the oldest valid ones in case there is more than one
valid one. This should not be very hard.
I need to monitor the certmonger status as well, a nagios plugin should do
the trick.
--
Groeten,
natxo
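The clean-up script sketched in the reply, as an added example that is not Natxo's or FreeIPA's own code: for one host it parses the `openssl x509 -noout -serial -startdate -enddate` output of each usercertificate value, keeps the valid certificate with the latest expiry, and prints the `ipa cert-revoke` commands for the other still-valid ones as a dry run (nothing is executed). The certificate data below are constructed; retrieving the usercertificate values from LDAP and running openssl on them is assumed to have happened beforehand.

```python
"""Dry-run planner for revoking duplicate FreeIPA host certificates."""
import re
from datetime import datetime, timezone

# Field lines as printed by: openssl x509 -noout -serial -startdate -enddate
_FIELD = re.compile(r"^(serial|notBefore|notAfter)=(.*)$", re.M)
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Oct  3 12:00:00 2016 GMT"


def parse_openssl_dates(text):
    """Turn one certificate's openssl output into serial (int) and UTC datetimes."""
    fields = dict(_FIELD.findall(text))

    def as_utc(value):
        # openssl pads single-digit days with two spaces; normalise before parsing
        return datetime.strptime(" ".join(value.split()), _OPENSSL_DATE).replace(tzinfo=timezone.utc)

    return {"serial": int(fields["serial"], 16),  # openssl prints hex, ipa wants decimal
            "not_before": as_utc(fields["notBefore"]),
            "not_after": as_utc(fields["notAfter"])}


def plan_revocations(certs, now):
    """Keep the valid cert with the latest notAfter; queue the other valid ones.
    Expired certs need no revocation and are only reported."""
    valid = [c for c in certs if c["not_before"] <= now < c["not_after"]]
    expired = [c for c in certs if c not in valid]
    if not valid:
        return {"keep": None, "revoke": [], "expired": expired}
    valid.sort(key=lambda c: (c["not_after"], c["not_before"]), reverse=True)
    return {"keep": valid[0], "revoke": valid[1:], "expired": expired}


def revoke_commands(plan):
    """Commands to run by hand after review; reason 4 = superseded (RFC 5280)."""
    return [f"ipa cert-revoke {c['serial']} --revocation-reason=4" for c in plan["revoke"]]


# Constructed sample: three usercertificate values of one host, as openssl prints them
SAMPLE_OUTPUTS = [
    "serial=0FF8AD4D\nnotBefore=Oct  3 12:00:00 2014 GMT\nnotAfter=Oct  3 12:00:00 2016 GMT\n",
    "serial=0FF8AD4E\nnotBefore=Sep 20 08:00:00 2015 GMT\nnotAfter=Sep 20 08:00:00 2017 GMT\n",
    "serial=0FF8AD4F\nnotBefore=Sep 20 08:05:00 2016 GMT\nnotAfter=Sep 20 08:05:00 2018 GMT\n",
]
NOW = datetime(2016, 10, 4, 6, 21, tzinfo=timezone.utc)  # date of this thread

if __name__ == "__main__":
    plan = plan_revocations([parse_openssl_dates(t) for t in SAMPLE_OUTPUTS], NOW)
    print("keep:", plan["keep"]["serial"], "expired:", [c["serial"] for c in plan["expired"]])
    print("\n".join(revoke_commands(plan)))
```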